Proxmark3 developers community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-09-06 13:00:19

easyeasy
Contributor
Registered: 2020-09-06
Posts: 10

Proxmark3 Easy: how to snoop Mifare on the go

Here are some things discovered for sniffing Mifare card-reader communication with the Proxmark3 Easy:

PACKAGE:
Throw away the mid-board and turn the LF antenna upside down. It works as usual, but the device is slimmer.

USB:
Put some compound glue or resin on the USB connector, because it will break.

USB-OTG:
Get a wire, not an adapter, because it applies less force to your phone and the PM3 connector.

ANDROID:
AndProx works well, but not with Iceman's firmware. But on a computer, Iceman's client works only with Iceman's firmware. So:
+ On the computer (Mac) I just connect the PM3 to USB with the BUTTON held down (2 lights are shining) and execute PM3-Flash-All.
+ On Android: download the Proxmark 3 mainline Bootrom and Fullimage from the AndProx GitHub to the Android phone. Then, using RRG's Rfid Tools (Tools -> PM3 Firmware Flasher -> Custom firmware), flash the Bootrom and Fullimage to the PM3. Now you can go on Android with AndProx.

ON THE GO:
In AndProx, start hf 14a snoop and find the right spot on your HF antenna with the reader. When the PM3 is placed correctly, the ORANGE light (2nd from the USB connector) is blinking. This light indicates communication with the reader, and believe me, you need it. Place the KEY on the PM3 in the spot you found and present the sandwich to the reader. The normal situation is when both the ORANGE and RED lights are blinking.

SNOOPING:
Restart the PM3 by going back to the start screen of AndProx and, sometimes, reconnecting the PM3 to the phone. Start hf 14a snoop and slowly present the device with the key to the reader. When the key read is complete, remove the PM3 with the key and push the only button on the PM3. Then start hf list 14a. Select all the output and copy/paste it into some notes app like Turtl (it converts plaintext to a table, which is handy).

ANALYZE:
On the computer, look through the tables and find a sequence like this:

Tag	01 20 01 45		
Rdr	e2! e2! 09 b3 2e! 80! d5 c1!							!crc	?
Tag	14 69 37 6a!		
Rdr	0b! 3d 69! b6									!crc	?
Tag	4e! e9! fe! 47 4e! c7 eb e0 0e! 54! 80 16 f1 01! 3d e0!		
	da! a4!										!crc	
Tag	5a 09! 5a! 49 5f 11 9c 26! 45! c2 f9 ea! 80! 36 04! 07!		
	76! 62										!crc	

A good sequence looks like this:

Tag | 8 digits				|NT
Rdr | 16 digits (with ? mark)		|NR & AR
Tag | 8 digits				|AT
...

Other patterns are no-go.

Find where Proxmark3 is on your computer and, from its directory (in a terminal app, outside the PM3 app), start mfkey64 like this (removing spaces and ! marks):
tools/mfkey/mfkey64 [UID] [NT] [NR] [AR] [AT]
Example for the given code:
tools/mfkey/mfkey64 5A04E566 01200145 e2e209b3 2e80d5c1 1469376a
Where:
5A04E566    UID
01200145    NT
e2e209b3    NR
2e80d5c1    AR
1469376a    AT

The UID can be obtained with the hf search command.

You will get a key (presumably sector 0, A) and then try numerous attacks from the PM3.

P.S.
I didn't find a good use for the hf sniff and hf list mf commands in my working environment.
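
The clean-up described under ANALYZE, as an added example that is not part of the original post: it parses pasted hf list 14a table text, strips the ! marks, and reports only frame runs that match the Tag 8 digits / Rdr 16 digits / Tag 8 digits pattern, so an incomplete capture is rejected before anything is passed to mfkey64. The function names are hypothetical and the sample listing is the trace quoted in the post.

```python
import re

BYTE = re.compile(r"[0-9a-fA-F]{2}!?")  # one hex byte, optionally followed by "!"

def parse_frames(listing):
    """Return [(source, hexstring)] from pasted `hf list 14a` table text."""
    frames = []
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] in ("Tag", "Rdr"):
            frames.append([tokens[0], ""])   # new frame
            tokens = tokens[1:]
        elif not frames:
            continue                         # stray text before the first frame
        # otherwise: a continuation row that belongs to the previous frame
        for tok in tokens:
            if not BYTE.fullmatch(tok):
                break                        # annotation column ("!crc", "?")
            frames[-1][1] += tok.rstrip("!").lower()
    return [tuple(f) for f in frames]

def find_auth(frames):
    """Return nt/nr/ar/at for every Tag(8) -> Rdr(16) -> Tag(8) digit run."""
    found = []
    for (s1, a), (s2, b), (s3, c) in zip(frames, frames[1:], frames[2:]):
        if (s1, s2, s3) == ("Tag", "Rdr", "Tag") and \
           (len(a), len(b), len(c)) == (8, 16, 8):
            found.append({"nt": a, "nr": b[:8], "ar": b[8:], "at": c})
    return found

def mfkey64_args(uid, auth):
    """Argument order from the post: [UID] [NT] [NR] [AR] [AT]."""
    return ["tools/mfkey/mfkey64", uid,
            auth["nt"], auth["nr"], auth["ar"], auth["at"]]

# The trace quoted in the post, with the table columns flattened to spaces.
SAMPLE = """
Tag  01 20 01 45
Rdr  e2! e2! 09 b3 2e! 80! d5 c1!      !crc  ?
Tag  14 69 37 6a!
Rdr  0b! 3d 69! b6                     !crc  ?
Tag  4e! e9! fe! 47 4e! c7 eb e0 0e! 54! 80 16 f1 01! 3d e0!
     da! a4!                           !crc
"""

if __name__ == "__main__":
    for auth in find_auth(parse_frames(SAMPLE)):
        print(" ".join(mfkey64_args("5A04E566", auth)))
```

An empty result from find_auth corresponds to the post's "other patterns are no-go" case: the capture did not contain a complete exchange and needs to be repeated.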
